on the amortized complexity of zero knowledge protocols
play

On the Amortized Complexity of Zero Knowledge Protocols for - PowerPoint PPT Presentation

Dec 25, 2022 •314 likes •569 views

On the Amortized Complexity of Zero Knowledge Protocols for Multiplicative Relations Ronald Cramer 1 ard 2 Valerio Pastro 2 Ivan Damg 1 CWI Amsterdam 2 Aarhus University August 15, 2012 Centrum Wiskunde & Informatica Cramer, Damg ard,

  1. On the Amortized Complexity of Zero Knowledge Protocols for Multiplicative Relations Ronald Cramer 1 ard 2 Valerio Pastro 2 Ivan Damg˚ 1 CWI Amsterdam 2 Aarhus University August 15, 2012 Centrum Wiskunde & Informatica Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 1 / 22

  2. The Problem Scenario P holds x , y , z (in a finite field K ) s.t. z = xy V holds hom. commitments com ( x ) , com ( y ) , com ( z ), of size κ V wants to be sure z = xy P does not want to reveal x , y , z Commitments Homomorphic: com ( a ) · com ( b ) = com ( a + b ) Shorthand: com ( · ) = [ · ] Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 2 / 22

  3. The Problem Motivation Zero Knowledge proofs for satisfiability of Boolean circuits MPC based on additive secret sharing [BDOZ11, DPSZ12] Anonymous credentials, group signatures, . . . Previous and Related Work (Apologies if I forgot any of your papers) 1991 Beaver [Bea91] 1997 Fujisaki, Okamoto [FO97] [CDD + 99] 1999 Cramer et al., 2002 Damg˚ ard, Fujisaki [DF02] 2009 Cramer, Damg˚ ard [CD09] 2012 Ben-Sasson et al. [BSFO12] Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 3 / 22

  4. A Well-Known Solution [Bea91] Protocol P samples uniform a , b ← K P computes c = ab , and sends [ a ] , [ b ] , [ c ] to V V sends a uniform e ← K P opens [ ex − a ] , [ y − b ], define ε := ex − a , δ := y − b P opens [ ez − c − ε b − δ a − εδ ] V checks that P opened to 0 Properties Correctness: P honest = ⇒ ez − c − ε b − δ a − εδ = 0 Soundness: P dishonest = ⇒ Cheat with prob 1 / | K | (guess e ) Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 4 / 22

  5. Room for Improvement What if | K | small (e.g. K = F 2 )? Constant soundness error probability = ⇒ Bad! ⇒ soundness error 2 − l Repeating l times = Communication? O ( κ · l ) Basic Field Case Soundness Error Amortized comm. complexity 2 − l Previous solutions: O ( l · κ ) 2 − l Our work: O ( κ ) Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 5 / 22

  6. Our Solution Ingredients Homomorphic commitments (size = κ ) (for this part: statistically binding, computationally hiding commitment schemes) Linear (multi)secret sharing schemes with R -product reconstruction (share s , share s ′ , reconstruct s · s ′ as linear combo of shares of R players) commitments: not to reveal x , y , z homomorphic: to compute sums on committed values! multi-secret: to use amortization techniques! [CD09]. Amortization: more instances to prove ⇒ better comm. complexity! Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 6 / 22

  7. Digression on LSSS (multi-secret variant of Shamir) How to Share? Secret: x := ( x 1 , . . . , x l ). Polynomial: f x ← K [ X ], with deg( f x ) = t + l f x ( − i ) = x i for i = 1 , . . . , l Shares: f x (1) , . . . , f x ( n ) x l x l − 1 x 1 Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 7 / 22

  8. Digression on LSSS (multi-secret variant of Shamir) How to Share? Secret: x := ( x 1 , . . . , x l ). Polynomial: f x ← K [ X ], with deg( f x ) = t + l f x ( − i ) = x i for i = 1 , . . . , l Shares: f x (1) , . . . , f x ( n ) x l x l − 1 x 1 Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 8 / 22

  9. Digression on LSSS (multi-secret variant of Shamir) How to Share? Secret: x := ( x 1 , . . . , x l ). Polynomial: f x ← K [ X ], with deg( f x ) = t + l f x ( − i ) = x i for i = 1 , . . . , l Shares: f x (1) , . . . , f x ( n ) f x ( n ) f x (3) f x (1) x l x l − 1 x 1 f x (2) Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 9 / 22

  10. Digression on LSSS Product Reconstruction? (Yes, if n > 2( t + l )) Share x , y Local products f x ( i ) · f y ( i ) for > 2( t + l ) i ’s Reconstruct f x · f y Evaluate ( f x · f y )( − i ) for i = 1 , . . . , l Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 10 / 22

  11. Digression on LSSS Product Reconstruction? (Yes, if n > 2( t + l )) Share x , y Local products f x ( i ) · f y ( i ) for > 2( t + l ) i ’s Reconstruct f x · f y Evaluate ( f x · f y )( − i ) for i = 1 , . . . , l Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 11 / 22

  12. Digression on LSSS Product Reconstruction? (Yes, if n > 2( t + l )) Share x , y Local products f x ( i ) · f y ( i ) for > 2( t + l ) i ’s Reconstruct f x · f y Evaluate ( f x · f y )( − i ) for i = 1 , . . . , l Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 12 / 22

  13. Digression on LSSS Product Reconstruction? (Yes, if n > 2( t + l )) Share x , y Local products f x ( i ) · f y ( i ) for > 2( t + l ) i ’s Reconstruct f x · f y Evaluate ( f x · f y )( − i ) for i = 1 , . . . , l Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 13 / 22

  14. Digression on LSSS Product Reconstruction? (Yes, if n > 2( t + l )) Share x , y Local products f x ( i ) · f y ( i ) for > 2( t + l ) i ’s Reconstruct f x · f y Evaluate ( f x · f y )( − i ) for i = 1 , . . . , l z 1 z l z l − 1 Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 14 / 22

  15. Notice: Fact #1 V holds t evals f x ( j ) and f y ( j ) = ⇒ no info on f y ( − i ), f y ( − i ), ( f x · f y )( − i ) revealed to V . Fact #2 f � = g ∈ K [ X ], deg( f ) = 2( t + l ) = deg( g ) = ⇒ f and g agree on at most 2( t + l ) points. Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 15 / 22

  16. Back to the Original Problem. What if . . . ? Toy Protocol – Basic Field Scenario P samples f x , f y ← K [ X ], with deg( f x ) = t + l = deg( f y ), f x ( − i ) = x i , f y ( − i ) = y i P computes f z = f x · f y P commits [ f x ] , [ f y ] , [ f z ] V chooses t indices O ⊂ { 1 , . . . , n } P opens [ f x ]( j ), [ f y ]( j ), [ f z ]( j ) for j ∈ O V accepts iff f x ( j ) · f y ( j ) = f z ( j ) Private x i , y i , z i Fact #1 ⇒ no info revealed on secrets! Soundness Error � t � 2( t + l ) Fact #2 & Choice of O ⇒ soundness error ≤ n Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 16 / 22

  17. Back to the Original Problem. What if . . . ? Toy Protocol – Basic Field Scenario P samples f x , f y ← K [ X ], with deg( f x ) = t + l = deg( f y ), f x ( − i ) = x i , f y ( − i ) = y i P computes f z = f x · f y P commits [ f x ] , [ f y ] , [ f z ] V chooses t indices O ⊂ { 1 , . . . , n } P opens [ f x ]( j ), [ f y ]( j ), [ f z ]( j ) for j ∈ O V accepts iff f x ( j ) · f y ( j ) = f z ( j ) Private x i , y i , z i Fact #1 ⇒ no info revealed on secrets! Soundness Error � t � 2( t + l ) = 2 − l , if t , l = Θ( n ) Fact #2 & Choice of O ⇒ s.e. ≤ n Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 17 / 22

  18. The General Result Shamir: n < | K | = ⇒ general LSSS? Basic Field Case Using a linear (multi)secret sharing scheme over K with K a finite field d players t privacy l secrets R product reconstruction A zero-knowledge protocol for the language � � ( com ( x i ) , com ( y i ) , com ( z i )) l i =1 | x i , y i , z i ∈ K ; x i · y i = z i , � R − 1 � t with soundness error d Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 18 / 22

  19. Parameters Choice of parameters to get negligible soundness error: Basic Field Case Using a linear (multi)secret sharing scheme over K with K a finite field d players d = Θ( l ) t privacy t = Θ( l ) l secrets R product reconstruction R = Θ( l ) A zero-knowledge protocol for the language � � ( com ( x i ) , com ( y i ) , com ( z i )) l i =1 | x i , y i , z i ∈ K ; x i · y i = z i , � R − 1 � t = 2 − l . Amo.Comm.: O ( κ ) with soundness error d Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 19 / 22

  20. Comparisons & Extensions Basic Field Case Soundness Error Amortized comm. complexity 2 − l Our work: O ( κ ) 2 − l Previous solutions: O ( l · κ ) Let’s play! What if values were integers (rather than in a finite field)? We have a solution! k -bit Integers Case Security Notion Our work: Factoring Previous solutions: Strong-RSA Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 20 / 22

  21. Comparisons & Extensions - General Field Case Basic field case: x · y = z . General field case: D ( x 1 , . . . , x v ) = z . Extension of protocol: to prove any algebraic rel. on committed values. Formally, a zero knowledge protocol for the language � ( com ( x 1 , i ) , . . . , com ( x v , i ) , com ( z i )) l i =1 | � x 1 , i , . . . , x v , i , z i ∈ K ; D ( x 1 , i , . . . , x v , i ) = z i , where D is an algebraic circuit. Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 21 / 22

  22. Final Slide Q: Standard commitments: cheating? A: We also consider commitments of the following form � P : v , m v = a · v + b v [ v ] : : a , V b v given by some setup, e.g. the preprocessing phase of [BDOZ11], or [DPSZ12]. Such commitments: Homomorphic (that is all we need!) Information theoretically secure NEW! Can be used over the integers! Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 22 / 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Amortized Complexity of Zero- Knowledge Proofs Revisited: Achieving Linear Soundness Slack

Amortized Complexity of Zero- Knowledge Proofs Revisited: Achieving Linear Soundness Slack

Amortized Complexity of Zero- Knowledge Proofs Revisited: Achieving Linear Soundness Slack Ronald Cramer (CWI) Ivan Damgrd (AU) Chaoping Xing (NTU) ChenYuan (NTU) Eprint 2016/681 Integer One-Way Function (iOWF) maps integers to finite

582 views • 32 slides
Interactive proof and zero knowledge protocols Zero-knowledge: definition Probabilistic

Interactive proof and zero knowledge protocols Zero-knowledge: definition Probabilistic

Interactive proof and zero knowledge protocols Zero-knowledge: definition Probabilistic complexity classes and Interactive proofs Graph isomorphism and PCP Some zero knowledge protocols: Feige-Fiat-Shamir authentication protocol

170 views • 16 slides
Amortized Analysis and Union-Find 02283, Inge Li Grtz 1 Today Amortized analysis 3

Amortized Analysis and Union-Find 02283, Inge Li Grtz 1 Today Amortized analysis 3

Amortized Analysis and Union-Find 02283, Inge Li Grtz 1 Today Amortized analysis 3 different methods 2 examples Union-Find data structures Worst-case complexity Amortized complexity 2 Amortized Analysis

610 views • 42 slides
A DVANCED A NALYSIS : A MORTIZATION AND R ECURRECNE R ELATIONS amortized time complexity

A DVANCED A NALYSIS : A MORTIZATION AND R ECURRECNE R ELATIONS amortized time complexity

A DVANCED A NALYSIS : A MORTIZATION AND R ECURRECNE R ELATIONS amortized time complexity accounting method Java vectors Recurrence Relations Advanced Analysis: Amortization 1 Amortized Running Time Amortized running time

913 views • 20 slides
Amortized Analysis Chapter 17 1 CPTR 430 Algorithms Amortized Analysis Amortized Analysis

Amortized Analysis Chapter 17 1 CPTR 430 Algorithms Amortized Analysis Amortized Analysis

Amortized Analysis Chapter 17 1 CPTR 430 Algorithms Amortized Analysis Amortized Analysis Amortized analysis averages the time required to perform a sequence of operations on a data structure over all the operations performed An

2.15k views • 56 slides
Amortized Complexity of Information- Theoretically Secure MPC Revisited Ignacio Cascudo 1 Ronald

Amortized Complexity of Information- Theoretically Secure MPC Revisited Ignacio Cascudo 1 Ronald

Amortized Complexity of Information- Theoretically Secure MPC Revisited Ignacio Cascudo 1 Ronald Cramer 2 , 3 Chaoping Xing 4 Chen Yuan 2 1 Aalborg University 2 CWI Amsterdam 3 Leiden University 4 NTU Singapore CRYPTO, 22 August 2018 Secure

320 views • 29 slides
Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic protocols: Concurrent programs

946 views • 69 slides
Types for complexity-checking Franc ois Pottier January 31, 2011 1 / 57 Contents

Types for complexity-checking Franc ois Pottier January 31, 2011 1 / 57 Contents

Types for complexity-checking Franc ois Pottier January 31, 2011 1 / 57 Contents Introduction Simple analysis Amortized analysis Amortized analysis in a lazy setting Conclusion Bibliography 2 / 57 The traditional use of types

590 views • 57 slides
On the Composition of Public- - On the Composition of Public Coin Zero- -Knowledge Protocols

On the Composition of Public- - On the Composition of Public Coin Zero- -Knowledge Protocols

On the Composition of Public- - On the Composition of Public Coin Zero- -Knowledge Protocols Knowledge Protocols Coin Zero Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktrm (KTH) 1 Zero Knowledge [GMR85] Zero

613 views • 22 slides
Outline 1 Zero-Knowledge MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second

Outline 1 Zero-Knowledge MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second

Zero-Knowledge Zero-Knowledge Two-Party Protocols Two-Party Protocols Outline 1 Zero-Knowledge MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Introduction to Zero-Knowledge Third Lecture:

473 views • 31 slides
Amortized Analysis Fibonacci Heaps thanks MIT slides thanks Amortized Analysis by Rebecca

Amortized Analysis Fibonacci Heaps thanks MIT slides thanks Amortized Analysis by Rebecca

Amortized Analysis Fibonacci Heaps thanks MIT slides thanks Amortized Analysis by Rebecca Fiebrink thanks Jay Aslams notes Objectives Amortized Analysis - potential method Fibonacci Heaps - construction - operations running

339 views • 16 slides
Amortized Analysis performed An individual operation may itself be relatively expensive, but

Amortized Analysis performed An individual operation may itself be relatively expensive, but

4/18/2013 Amortized Analysis Amortized analysis averages the time required to perform a sequence of operations on a data structure over all the operations Amortized Analysis performed An individual operation may itself be relatively

507 views • 4 slides
Information Complexity Density and Simulation of Protocols Himanshu Tyagi Indian Institute of

Information Complexity Density and Simulation of Protocols Himanshu Tyagi Indian Institute of

Information Complexity Density and Simulation of Protocols Himanshu Tyagi Indian Institute of Science, Bangalore with Pramod Viswanath (UIUC), Shaileshh Venkatakrishnan (UIUC), and Shun Watanabe (TUAT) Private Coin Interactive Protocols X Y

767 views • 43 slides
Section 2.2: Amortized Loans and Annuities An amortized loan is one in which a large debt assumed

Section 2.2: Amortized Loans and Annuities An amortized loan is one in which a large debt assumed

Section 2.2: Amortized Loans and Annuities An amortized loan is one in which a large debt assumed up-front is Notes, 2.2 MATH 105 (UofL) depleted slowly over time. mathematics, where a large up-front deposit to a savings account is An annuity

475 views • 6 slides
MTAT.07.005 Cryptographic Protocols Introduction to Zero-Knowledge Helger Lipmaa University of

MTAT.07.005 Cryptographic Protocols Introduction to Zero-Knowledge Helger Lipmaa University of

Zero-Knowledge Two-Party Protocols MTAT.07.005 Cryptographic Protocols Introduction to Zero-Knowledge Helger Lipmaa University of Tartu MTAT.07.005 Cryptographic Protocols Helger Lipmaa MTAT.07.005 Cryptographic Protocols Zero-Knowledge

1.49k views • 122 slides
Introduction to Complexity Theory Winter 2005/06 Dr. Axel Gromann Knowledge Representation and

Introduction to Complexity Theory Winter 2005/06 Dr. Axel Gromann Knowledge Representation and

Introduction to Complexity Theory Winter 2005/06 Dr. Axel Gromann Knowledge Representation and Reasoning Group Artificial Intelligence Institute 1 Computational complexity theory Complexity theory is part of the theory of computation dealing

915 views • 15 slides
Totally Unimodular Matrices m constraints, n variables Vertex solution: unique solution of n

Totally Unimodular Matrices m constraints, n variables Vertex solution: unique solution of n

Totally Unimodular Matrices m constraints, n variables Vertex solution: unique solution of n linearly independent tight inequalities Can be rewritten as: That is: Totally Unimodular Matrices Assuming all entries of A and b are integral When

663 views • 17 slides
Construction of some special classes of stable processes that generalises spatial or temporal

Construction of some special classes of stable processes that generalises spatial or temporal

Motivation and application examples Overview on -stable variables and processes Construction of some special classes of stable processes that generalises spatial or temporal Gaussian processes. Nourddine Azzaoui works with G.W. Peters, L.

1.23k views • 48 slides
Institute of Telecommunications (ITK) Joint Localiza,on Algorithms for Network

Institute of Telecommunications (ITK) Joint Localiza,on Algorithms for Network

T Ss. Cyril and Methodius University in Skopje Faculty of Electrical Engineering and Information Technologies (FEEIT) Institute of Telecommunications (ITK) Joint Localiza,on Algorithms for Network Topology Ambiguity

703 views • 25 slides
Nonlinear Signal Processing 2007-2008 Course Overview Instituto Superior T ecnico, Lisbon,

Nonlinear Signal Processing 2007-2008 Course Overview Instituto Superior T ecnico, Lisbon,

Nonlinear Signal Processing 2007-2008 Course Overview Instituto Superior T ecnico, Lisbon, Portugal Jo ao Xavier jxavier@isr.ist.utl.pt Introduction This course is about applications of differential geometry in signal processing

1.34k views • 78 slides
Introduction to Computer Graphics Toshiya Hachisuka Lecturer Toshiya Hachisuka

Introduction to Computer Graphics Toshiya Hachisuka Lecturer Toshiya Hachisuka

Introduction to Computer Graphics Toshiya Hachisuka Lecturer Toshiya Hachisuka first last Leading the computer graphics group Office: I-REF 503 http://www.ci.i.u-tokyo.ac.jp/~hachisuka Today

1.58k views • 58 slides
Ray Tracing CPSC 453 Fall 2018 Sonny Chan Ray Tracing A method for synthesizing images of

Ray Tracing CPSC 453 Fall 2018 Sonny Chan Ray Tracing A method for synthesizing images of

Ray Tracing CPSC 453 Fall 2018 Sonny Chan Ray Tracing A method for synthesizing images of virtual 3D scenes. Image Capture Devices Which one shall we use? Goal: Simulate a Camera Obscura! Spheres &amp; Checkerboard Turner Whitted,

665 views • 44 slides
Hash Proof Systems and Password Protocols I Hash Proof Systems David Pointcheval CNRS, Ecole

Hash Proof Systems and Password Protocols I Hash Proof Systems David Pointcheval CNRS, Ecole

Hash Proof Systems and Password Protocols I Hash Proof Systems David Pointcheval CNRS, Ecole normale sup erieure/PSL &amp; INRIA 8th BIU Winter School Key Exchange February 2018 CNRS/ENS/PSL/INRIA David Pointcheval 1/51 Hard

300 views • 17 slides
Revisiting Paulsons Theory of the Con- structible Universe with Isar and Sledge-

Revisiting Paulsons Theory of the Con- structible Universe with Isar and Sledge-

Revisiting Paulsons Theory of the Con- structible Universe with Isar and Sledge- hammer Ioanna M. Dimitriou H. and Peter Koepke, University of Bonn, Germany AITP 2016 Obergurgl, Austria, April 3-7, 2016 Revisiting Paulsons

703 views • 33 slides

More recommend